Inadequate Accountability and Training for
Key Security Employees Contributed to
Significant Computer Security Weaknesses

January 2004

Reference Number: 2004-20-027

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

January 14, 2004

MEMORANDUM FOR CHIEF, MISSION ASSURANCE

FROM:     Gordon C. Milbourn III
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Inadequate Accountability and Training for Key Security Employees Contributed to Significant Computer Security Weaknesses (Audit # 200320006)

This report presents the results of our review of roles and responsibilities of employees with key security duties.
The overall objectives of this review were to determine whether the roles and responsibilities of key Internal Revenue Service (IRS) security employees were implemented consistently, and whether the employees had the requisite training, formal education, and experience needed to carry out their responsibilities.

System administrators and security specialists have day-to-day responsibility for ensuring that the computer systems are set up and maintained in a secure manner. Our previous audits,[1] as well as a General Accounting Office review,[2] have identified security vulnerabilities that indicated these duties have not always been effectively performed. We performed this audit to assess how well security responsibilities were carried out on a broader scale.

[1] The Security of the Integrated Collection System Needs to Be Strengthened (Reference Number 2003-20-119, dated May 2003), Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2003-20-082, dated March 2003), Many Advances Made But Additional Emphasis Is Needed on Key Initiatives in the Security Service Organization (Reference Number 2003-20-005, dated October 2002), and Computer Security Controls Should Be Strengthened in the Former Northern California District (Reference Number 2001-20-036, dated January 2001).
[2] Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks (GAO-03-44, dated May 2003).

In summary, our review of local servers and workstations at five locations again identified significant security vulnerabilities. Vendor patches were not applied to hardware and software to ensure known vulnerabilities were adequately mitigated, configuration baselines were not maintained in order to identify unauthorized changes,
audit trails and event logs were not generated and reviewed, employees were given access to computer systems although there was no record of managerial approval, and user accounts were not deleted when employees separated.

A major underlying cause for these conditions was that accountability for carrying out key security responsibilities was not maintained. Interviews of IRS employees identified widespread confusion in this area. We also identified instances in which duties were not performed or not properly separated and, in some instances, duties were duplicated.

Also, employees with key security responsibilities did not have sufficient training. A significant percentage of employees believed that they had not received sufficient training to adequately perform their security-related duties. The training they received was not always helpful because it was too general, not timely, or not work-related. Some employees had not received any security training in the past 3 years.

The IRS has designated computer security a material weakness, as required by the Federal Managers’ Financial Integrity Act of 1982.[3] To correct this material weakness, the IRS has developed a plan that it expects to implement by March 31, 2004. The plan contains action items that address both the security roles and responsibilities issue and the security training issue. We plan to evaluate the effectiveness of these actions after they have been fully implemented.

We recommended that the Chief, Mission Assurance, develop a methodology to evaluate system administrators’ and security specialists’ performance of their roles and responsibilities with respect to security requirements. We also suggested conducting periodic computer scans that will identify potential vulnerabilities. The results can be used to evaluate how well the employees are maintaining security on computers under their ownership.
We also recommended that the Chief, Mission Assurance, take certain actions to ensure appropriate security training for key security personnel.

Management’s Response: The Chief, Mission Assurance, concurred with our recommendations. Mission Assurance is developing a methodology to evaluate system administrators’ and security specialists’ roles and responsibilities, which will be accomplished in two steps. Step one addresses training of system administrators and security specialists, and step two addresses evaluating the performance of those employees. In addition, it has identified employees with key security responsibilities. For those employees, skill sets and an appropriate security curriculum will be determined, and a policy statement on assessing skill sets and security training will be issued.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[3] 31 U.S.C. §§ 1105, 1113, and 3512 (2000).

Table of Contents

Background ........................................................ Page 1
Key Security Employees Did Not Always Perform Their Responsibilities ... Page 2
    Recommendations 1 and 2: ...................................... Page 9
Appendix I – Detailed Objectives, Scope, and Methodology ..........
Page 10
Appendix II – Major Contributors to This Report ................... Page 12
Appendix III – Report Distribution List ........................... Page 13
Appendix IV – Management’s Response to the Draft Report ........... Page 14

Background

In the Internal Revenue Service (IRS), technical computer security responsibilities are assigned to system administrators and security specialists.[1] Generally, system administrators are responsible for day-to-day systems operations and security specialists are responsible for specific security tasks and security oversight. Both positions are needed to ensure proper segregation of duties, similar to a system of checks and balances. For example, system administrators can make changes to computer configurations and settings, while security specialists review audit trails to identify unauthorized accesses and changes to the configurations.

The Internal Revenue Manual (IRM) defines roles and responsibilities for system administrators and security specialists.
The IRS’ Information Technology Services Office has the responsibility of implementing security duties for the system administrators and security specialists, while the Office of Security Services provides oversight and guidance when needed.

In several of our prior audits,[2] as well as a General Accounting Office (GAO) review[3] of the IRS, not having clear roles and responsibilities and inadequate training for employees with key security responsibilities have been cited as the causes of many of the security vulnerabilities identified. Those audits were conducted on individual applications or

[1] We focused this review on system administrators’ and security specialists’ responsibilities. While these positions are responsible for most of the computer security tasks in the IRS, they are not the only positions.
Other positions, such as telecommunications analysts and database administrators, also have important computer security responsibilities.
[2] The Security of the Integrated Collection System Needs to Be Strengthened (Reference Number 2003-20-119, dated May 2003), Penetration Test of Internal Revenue Service Computer Systems (Reference Number 2003-20-082, dated March 2003), Many Advances Made But Additional Emphasis Is Needed on Key Initiatives in the Security Service Organization (Reference Number 2003-20-005, dated October 2002), and Computer Security Controls Should Be Strengthened in the Former Northern California District (Reference Number 2001-20-036, dated January 2001).
[3] Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks (GAO-03-44, dated May 2003).

operating systems and, consequently, we limited our assessments to local concerns.
We performed this audit to evaluate these two issues on a broader scale.

This audit was conducted in the Los Angeles, California, and Oklahoma City, Oklahoma, area offices, a Washington, D.C., satellite office, and the Atlanta, Georgia, and Brookhaven, New York, Campuses[4] from December 2002 to June 2003. The employees we interviewed in these offices were responsible for the operation of several diverse systems and applications. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Key Security Employees Did Not Always Perform Their Responsibilities

IRS employees’ workstations are usually connected to sensitive data on local network servers as well as on larger computers maintained in IRS computing centers[5] and campuses. Because of the trusted relationship between user workstations and other servers on the network, a high degree of security must be maintained over these computer systems to prevent improper disclosure of taxpayer data, attacks by malicious employees and hackers, and disruption of operations.
To provide an adequate level of security, controls must be in place on each of the interconnected workstations as well as the servers.

In November 2001, the IRS began implementing a Common Operating Environment (COE) for all Windows-based workstations. The COE provides a set of applications and security standards and adequately addresses the most common security vulnerabilities associated with workstations. Currently, a majority of all Windows-based workstations have been updated with the COE.

[4] The campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the computing centers for analysis and posting to taxpayer accounts.
[5] IRS computing centers support tax processing and information management through a data processing and telecommunications infrastructure.

We purposely selected sites where the COE had been implemented because the COE represents the future of the IRS workstations nationwide, and we wanted to evaluate
whether system administrators were maintaining adequate security controls after implementation. All workstations at the sites we visited contained the COE configuration and were adequately secured.

However, we identified several vulnerabilities on the network servers at the sites we visited. A COE type of implementation is not feasible for servers because they have specific functionalities and require different configurations to operate. Instead, the IRS relies upon system administrators for proper configurations.

We identified the following vulnerabilities, which are consistent with findings reported in prior reports. We believe these problems are persistent and will remain until security roles and responsibilities are effectively carried out and employees are adequately trained and held accountable.

• Ten of 20 servers had at least 1 of the System Administration, Audit, Network Security (SANS) Institute/Federal Bureau of Investigation (FBI) Top 20 security vulnerabilities[6] that could have been resolved with current patches from the vendors.
  We consider these to be high-risk vulnerabilities.
• Eight of 12 system administrators were not aware of, or did not maintain or document, configuration baselines for systems under their control. Consequently, they could not compare current configurations against the baseline to identify unauthorized changes.
• Ten of 14 system administrators and security specialists did not generate or review audit trails or

[6] The SANS Institute was established in 1989 as a research and education organization for government and private industry security. The SANS Institute, along with the FBI, periodically announces the list of the top 20 computer security vulnerabilities, based on security incidents recently reported.

  event logs to identify questionable activities on the network.
• Forty-one (39 percent) of 106 Information Systems User Registration/Change Request forms (Form 5081) were not available for our review. These forms are used to grant employees access to the network and applications.
  As such, IRS employees may have been given access to computer systems without managerial approval or a proper need to know.
• Twenty-eight (14 percent) of 206 user accounts were still active although the employees had been separated from the IRS an average of 139 days. One of these accounts had two suspicious accesses after the employee had separated. The former employee or another employee who knew the account’s password may have made the accesses to the network. These accesses have been referred to the Office of Investigations for further analysis. None of the other 27 user accounts had accesses after the employees separated.

These vulnerabilities can have a significant adverse effect on the overall security of information systems. When patches are not applied, computer components remain vulnerable to compromise. Not having audit trails may permit questionable system accesses and activities to go undetected. Employees given access to computer systems without proper approval or background investigations may misuse taxpayer data.
In addition, user accounts of separated employees that are still active may be improperly used to gain access to systems and data.

We attribute these vulnerabilities, in part, to inadequate accountability for security responsibilities and security training for key employees (i.e., system administrators and security specialists).

Key security employees were not accountable for carrying out their responsibilities

The lists of responsibilities for both system administrators and security specialists were specified in the IRM in January 2002.
These responsibilities, if carried out, would have eliminated or at least reduced the vulnerabilities we continue to identify.

For example, system administrator duties include: maintaining an up-to-date listing of current system users and at least annually distributing a list of users and their access profiles to appropriate managers for review, update, and certification; ensuring proper acquisition, installation, testing, protection, and use of system software; and maintaining current documentation that properly defines the technical hardware and software configuration of system and network connections.

Security specialist duties include: ensuring user access is restricted to the minimum necessary to perform his/her duties; monitoring system integrity, protection levels, and security-related events; and generating audit trails and security reports and distributing them to the appropriate managers for review.

While these key security procedures were adequately defined, the vulnerabilities we identified and our interviews of system administrators and security specialists in five offices indicate widespread confusion on key security procedures.
Even some managers of key security employees were not clear about their own responsibilities and their employees’ security-related duties.

Our interviews with 29 system administrators and security specialists identified the following examples that demonstrate confusion over responsibilities. Managers did not actively monitor performance of these responsibilities.
• Five employees were confused over who had responsibility for maintaining Windows workstations and servers, as well as applying and testing computer patches.
• Four employees still retained their previous system administrator rights when their new position no longer required this access privilege.
• Three employees were performing both system administrator and security specialist duties on the same system.
• One employee did not know whether the users on the server were authorized users.
• Five employees were performing duties from their previous position, while adding their new security duties.
• Two employees in one office were assigned the
  same duties of identifying separated employees, yet neither performed this responsibility.

The IRS has designated computer security as a material weakness, as required by the Federal Managers’ Financial Integrity Act of 1982.[7] Security roles and responsibilities have been categorized as a subset of this material weakness, and the IRS has developed a plan for resolving this material weakness by March 31, 2004. The plan identifies (1) corrective actions, (2) the agency organization responsible for correcting each type of weakness, (3) key milestones with completion dates, and (4) the status of actions.

The IRS’ material weakness plan contains action items designed to appropriately delineate security roles and responsibilities within functional business, operating, and program units and to appropriately segregate system administration and security administration responsibilities. This plan also lists actions to be taken to optimally configure system software to ensure the security and integrity of system programs, files, and data, including development of the process to publish and deploy operating system patches. Many of these actions are pending.
We plan to conduct an in-depth analysis of the material weakness plan and validate the results in other reviews.

The plan, however, does not address how Modernization and Information Technology Services managers and employees are going to be held accountable for carrying out security roles. The National Aeronautics and Space Administration (NASA), for example, has placed responsibility for technical security controls on system administrators and periodically runs computer scans to identify vulnerabilities. System administrators are then evaluated on the number of vulnerabilities reported per workstation. While this approach should not be the only means to evaluate system administrators, it clearly gives managers an indication of potential issues that may need attention and shows administrators how they are doing in relation to others in their agency.

[7] 31 U.S.C. §§ 1105, 1113, and 3512 (2000).

Employees with key security responsibilities did not have sufficient training

When we began our audit work, we asked security officials to identify the IRS employees with key security responsibilities so we could evaluate the training provided IRS-wide.
Because the IRS was not able to identify employees with key security responsibilities, we limited our testing to those employees in the offices we reviewed.

The IRS’ training database contained accurate training histories for the employees included in our test. However, 8 of the 29 system administrators, security specialists, and customer support personnel we interviewed did not receive sufficient training to perform their related duties. Six of the 8 personnel had not received any security training in the past 3 years. Recommended courses for these positions include: Norton Anti-Virus for Administrators, Microcomputer Security - Windows NT, Voice and Data Security, Securing Communications and Networks, and Internet and System Security.

Twelve of the 29 employees stated that they had not received sufficient training to adequately perform their duties. They believed the training they had received was not always helpful because it was too general, not timely, or not sufficiently work-related.

In addition to training, we evaluated the formal education and experience of the employees we interviewed. The interviews showed that 5 of the 29 employees had received a computer-related college degree.
An additional 12 employees had taken college computer-related courses, most of which were taken prior to the employees getting their current positions. The remaining 12 employees had no formal computer-related education, and 2 of those did not have any computer experience prior to getting their current positions. Not having computer-related education and experience may indicate that some employees in the field are not fully qualified to perform their assigned responsibilities.

The National Institute of Standards and Technology (NIST) and the GAO recommend that computer security training should be role-based. Role-based learning focuses on the job functions employees perform rather than on their job titles. In particular, it provides security training that satisfies the specific requirements of an employee’s role. The NIST and the GAO also recommend that methods should be employed for determining whether employees have learned and retained what they have been taught and whether their performance has improved.

The IRS has also designated security training as a subset to the computer security material weakness.
The IRS’ material weakness plan provides steps to deliver sufficient technical security-related training to key personnel. The plan includes steps to identify security-related training needs for employees based on their roles and responsibilities and to update current online and classroom courses for key personnel. These actions are still in process.

Subsequent to the start of this audit, the IRS identified 288 employees with significant computer security responsibilities, based on the criteria that 25 percent of their time is spent on computer security activities. We disagree with this methodology because other employees have important computer security responsibilities even though those responsibilities do not consume 25 percent of their time. These employees include system administrators, telecommunications analysts, and database administrators.

Recommendations

The Chief, Mission Assurance, should:

1. Develop a methodology to evaluate system administrators’ and security specialists’ performance of their roles and responsibilities.
   We encourage the Chief, Mission Assurance, to consider methodologies similar to those used by the NASA that provide quantifiable results and suggest conducting periodic computer scans that will identify vulnerabilities. The results can be used to evaluate how well the employees are maintaining security on computers under their stewardship.

Management’s Response: Mission Assurance management plans to develop a methodology to evaluate system administrators’ and security specialists’ roles and responsibilities in a two-step process. Step one involves linking training to position descriptions and developing related training courses that address current technology and policies. Step two involves developing a strategic planning document that identifies implementation schedules and milestones for evaluating employee performance.

2. Ensure the current effort to identify security training needs will result in appropriate security training for employees with key security duties by:
   •   Identifying employees in all offices with key roles and responsibilities.
   •   Establishing Knowledge, Skills, and Abilities (KSA) standards for key personnel.
   •   Assessing the KSAs of key personnel.
   •   Allocating sufficient funds to ensure key personnel are recruited and trained.

Management’s Response: Mission Assurance management has identified employees with key security responsibilities and has moved qualified individuals into security positions. For these employees, they plan to identify skill sets and appropriate training, and issue a policy statement on assessing those skill sets and security training.

                                                                      Appendix I

                 Detailed Objectives, Scope, and Methodology

The overall objectives of this review were to determine whether the roles and responsibilities of key Internal Revenue Service (IRS) security employees were implemented consistently, and whether these employees had the requisite training, formal education, and experience needed to carry out their responsibilities.

I.   To evaluate the adequacy of policies and guidelines that had been developed to ensure Windows computer systems were installed and maintained in a secure manner, the administrators were properly trained in their jobs, and there was appropriate separation of duties, we:
     A.   Reviewed guidance documents from Federal Government sources (e.g., Internal Revenue Manual, Treasury Directives, and the National Institute of Standards and Technology) and computer industry sources (e.g., the System Administration, Audit, Network Security Institute¹).
     B.   Interviewed End User Equipment and Services (EUES) management to determine the roles of the system administrators and security specialists and how they differed, and determine the roles of the EUES organization for ensuring adequate Local Area Network (LAN) security. Also, we determined what training was available, and what other guidelines or policies had been established to assist the administrators and specialists.
     C.   Evaluated the system administrators’ and security specialists’ roles and responsibilities to determine whether duties were adequately separated.

II.  To determine whether security roles and responsibilities were effectively carried out, we selected 5 sites that employed the IRS’ Common Operating Environment and interviewed 29 system administrators, security specialists, and customer support personnel available during our on-site visit. At these sites, we:
     A.   Used the Internet Security Scanner software and scanned a total of 90 workstations and 20 servers to identify security threats to the systems.
     B.   Evaluated controls used by either the system administrator or security specialist to ensure users had a business need to access the LAN and were authorized to access it. Also, we identified recent employee departures to determine if their LAN access was still active.
     C.   Determined whether the system administrators or security specialists ran system logs and audit trails for the network, and whether the logs and audit trails were reviewed for inappropriate accesses.
     D.   Interviewed the system administrators and security specialists to determine what functions they perform, the level of training they had received, and the accuracy of the IRS’ training database.

¹ The System Administration, Audit, Network Security Institute was established in 1989 as a research and education organization for government and private industry security.

                                                                      Appendix II

                        Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Louis Lee, Senior Auditor
Bill Lessa, Senior Auditor
Abraham Millado, Senior Auditor
Joan Raniolo, Senior Auditor
Larry Reimer, Senior Auditor
Stasha Smith, Senior Auditor
Charles Ekholm, Auditor
Suzanne Noland, Auditor

                                                                      Appendix III

                            Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, End User Equipment & Services OS:CIO:I:EU
Director, Enterprise Operations OS:CIO:I:EO
Acting Director, Portfolio Management OS:CIO:R:PM
Acting Director, Regulatory Compliance OS:MA:RC
Acting Director, Strategy, Program Management, and Personnel Security OS:MA:SP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaison: Chief, Mission Assurance OS:MA

                                                                      Appendix IV

                  Management’s Response to the Draft Report